RubyGems - doorkeeper-openid_connect - Versions diffs - 1.8.11 → 1.9.0 - Mend

doorkeeper-openid_connect 1.8.11 → 1.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3f528fd39b26ece5800ff5a5cc38b8fdd0945c5bd9298e6a03bad7df0f7fe9c9
-  data.tar.gz: cefcf626ab0f1cbf825a792b529b643081c3be96dcdbc922507e06cd3844218c
+  metadata.gz: b43afb85064c2b12a0837aec166ab720b352813fec7004dfce38cfc0b4338fc6
+  data.tar.gz: de24da5d37377dadf9cb2bffcdf15c2b725075327efe301e0a1c907748ced3b8
 SHA512:
-  metadata.gz: 3a16a5cc0bf3de2e6232900126d111093f6313bc00264ee77e9385260bef586b22152971905b87e728eff7eeb7fde16fd67d73843c13ba88b17925ebc6d41f7b
-  data.tar.gz: d7215370a0be9369fe05a61cd4fee8d2df68a79bdbd104f4cde638e704c83637f23af76369afa532dc68b349f180fdb2ccb6e7772d87647356b0e3018424230e
+  metadata.gz: 0e9c242e0e9dbf48500810be186040b6cdc4afdb564196453a005ae420b9f61e6b104afcfeb1e71be2f9d1356ccca8ec1265a1e8dfdd12a0e796a9d8d19d532e
+  data.tar.gz: b4832c67b7f870e9fa5b7745c5e1ddfd0ded602b0ca2f2cb9a351d4542f88b6e95b230c91cd24332ac6c6e6109035e589062db9c8a03faedf991a44a6ab7ddea

data/CHANGELOG.md CHANGED Viewed

@@ -1,6 +1,17 @@
 ## Unreleased
-- [#PR ID] Add your changelog entry here.
+- Please add here
+## v1.9.0 (2026-03-16)
+- [#229] Allow to application manage signing key and algorithm
+- [#230] Add dynamic client registration
+- [#233] fix: handle `DoubleRenderError` in library instead of requiring consumer workaround
+- [#232] Implements customizable OpenID request class
+- [#236] Derive `token_endpoint_auth_methods_supported` from Doorkeeper's client_credentials config
+- [#225] Allow configuration of id_token expiration using a block.
+- [#237] Fix dynamic client registration returning hashed secret when `hash_application_secrets` is enabled
+- [#226] Respect Doorkeeper's configured `pkce_code_challenge_methods`
 ## v1.8.11 (2025-02-10)

data/README.md CHANGED Viewed

@@ -1,7 +1,7 @@
 # Doorkeeper::OpenidConnect
-[![Build Status](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/workflows/CI/badge.svg?branch=master)](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/actions)
-[![Code Climate](https://codeclimate.com/github/doorkeeper-gem/doorkeeper-openid_connect.svg)](https://codeclimate.com/github/doorkeeper-gem/doorkeeper-openid_connect)
+[![CI](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/actions/workflows/ci.yml/badge.svg)](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/actions/workflows/ci.yml)
+[![Maintainability](https://qlty.sh/gh/doorkeeper-gem/projects/doorkeeper-openid_connect/maintainability.svg)](https://qlty.sh/gh/doorkeeper-gem/projects/doorkeeper-openid_connect)
 [![Gem Version](https://badge.fury.io/rb/doorkeeper-openid_connect.svg)](https://rubygems.org/gems/doorkeeper-openid_connect)
 #### :warning: **This project is looking for maintainers, see [this issue](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/89).**
@@ -150,7 +150,18 @@ The following settings are optional:
 - `expiration`
   - Expiration time after which the ID Token must not be accepted for processing by clients.
-  - The default is 120 seconds
+  - The default is 120 seconds, it can be configured using a value or block.
+    ```ruby
+    # config/initializers/doorkeeper_openid_connect.rb
+    Doorkeeper::OpenidConnect.configure do
+      # ...
+      expiration do |resource_owner, application|
+        # You will have to ensure the application model implements an expiration method
+        application.expiration
+      end
+      # ...
+    end
+    ```
 - `protocol`
   - The protocol to use when generating URIs for the discovery endpoints.

data/app/controllers/concerns/doorkeeper/openid_connect/grant_types_supported_mixin.rb ADDED Viewed

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+module Doorkeeper
+  module OpenidConnect
+    module GrantTypesSupportedMixin
+      def grant_types_supported(doorkeeper)
+        grant_types_supported = doorkeeper.grant_flows.dup
+        grant_types_supported << 'refresh_token' if doorkeeper.refresh_token_enabled?
+        grant_types_supported
+      end
+    end
+  end
+end

data/app/controllers/doorkeeper/openid_connect/discovery_controller.rb CHANGED Viewed

@@ -4,6 +4,7 @@ module Doorkeeper
   module OpenidConnect
     class DiscoveryController < ::Doorkeeper::ApplicationMetalController
       include Doorkeeper::Helpers::Controller
+      include GrantTypesSupportedMixin
       WEBFINGER_RELATION = 'http://openid.net/specs/connect/1.0/issuer'
@@ -34,6 +35,7 @@ module Doorkeeper
           userinfo_endpoint: oauth_userinfo_url(userinfo_url_options),
           jwks_uri: oauth_discovery_keys_url(jwks_url_options),
           end_session_endpoint: instance_exec(&openid_connect.end_session_endpoint),
+          registration_endpoint: openid_connect.dynamic_client_registration ? oauth_dynamic_client_registration_url(dynamic_client_registration_url_options) : nil,
           scopes_supported: doorkeeper.scopes,
@@ -45,7 +47,7 @@ module Doorkeeper
           # TODO: look into doorkeeper-jwt_assertion for these
           #  'client_secret_jwt',
           #  'private_key_jwt'
-          token_endpoint_auth_methods_supported: %w[client_secret_basic client_secret_post],
+          token_endpoint_auth_methods_supported: token_endpoint_auth_methods_supported(doorkeeper),
           subject_types_supported: openid_connect.subject_types_supported,
@@ -73,20 +75,19 @@ module Doorkeeper
         }.compact
       end
-      def grant_types_supported(doorkeeper)
-        grant_types_supported = doorkeeper.grant_flows.dup
-        grant_types_supported << 'refresh_token' if doorkeeper.refresh_token_enabled?
-        grant_types_supported
-      end
       def response_modes_supported(doorkeeper)
         doorkeeper.authorization_response_flows.flat_map(&:response_mode_matches).uniq
       end
+      def token_endpoint_auth_methods_supported(doorkeeper)
+        mapping = { from_basic: 'client_secret_basic', from_params: 'client_secret_post' }
+        doorkeeper.client_credentials_methods.filter_map { |method| mapping[method] }
+      end
       def code_challenge_methods_supported(doorkeeper)
         return unless doorkeeper.access_grant_model.pkce_supported?
-        %w[plain S256]
+        doorkeeper.pkce_code_challenge_methods
       end
       def webfinger_response
@@ -136,7 +137,7 @@ module Doorkeeper
         end
       end
-      %i[authorization token revocation introspection userinfo jwks webfinger].each do |endpoint|
+      %i[authorization token revocation introspection userinfo jwks webfinger dynamic_client_registration].each do |endpoint|
         define_method :"#{endpoint}_url_options" do
           discovery_url_default_options.merge(discovery_url_options[endpoint.to_sym] || {})
         end

data/app/controllers/doorkeeper/openid_connect/dynamic_client_registration_controller.rb ADDED Viewed

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+module Doorkeeper
+  module OpenidConnect
+    class DynamicClientRegistrationController < ::Doorkeeper::ApplicationMetalController
+      include GrantTypesSupportedMixin
+      def register
+        client = Doorkeeper::Application.create!(application_params)
+        render json: registration_response(client), status: :created
+      rescue ActiveRecord::RecordInvalid => e
+        render json: { error: "invalid_client_params", error_description: e.record.errors.full_messages.join(", ") },
+          status: :bad_request
+      end
+      private
+      def application_params
+        {
+          name: params.dig(:client_name),
+          redirect_uri: params.dig(:redirect_uris) || [],
+          scopes: params.dig(:scope),
+          confidential: false,
+        }
+      end
+      def registration_response(doorkeeper_application)
+        doorkeeper_config = ::Doorkeeper.configuration
+        {
+          client_secret: doorkeeper_application.plaintext_secret || doorkeeper_application.secret,
+          client_id: doorkeeper_application.uid,
+          client_id_issued_at: doorkeeper_application.created_at.to_i,
+          redirect_uris: doorkeeper_application.redirect_uri.split,
+          token_endpoint_auth_methods_supported: %w[client_secret_basic client_secret_post],
+          response_types: doorkeeper_config.authorization_response_types,
+          grant_types: grant_types_supported(doorkeeper_config),
+          scope: doorkeeper_application.scopes.to_s,
+          application_type: "web"
+        }
+      end
+    end
+  end
+end

data/lib/doorkeeper/openid_connect/config.rb CHANGED Viewed

@@ -79,6 +79,18 @@ module Doorkeeper
       option :discovery_url_options, default: lambda { |*_|
         {}
       }
+      option :dynamic_client_registration, default: false
+      option :open_id_request_class, default: 'Doorkeeper::OpenidConnect::Request'
+      # Doorkeeper OpenID Request model class.
+      #
+      # @return [ActiveRecord::Base, Mongoid::Document, Sequel::Model]
+      #
+      def open_id_request_model
+        @open_id_request_model ||= open_id_request_class.to_s.constantize
+      end
     end
   end
 end

data/lib/doorkeeper/openid_connect/helpers/controller.rb CHANGED Viewed

@@ -81,7 +81,10 @@ module Doorkeeper
             when 'login'
               reauthenticate_oidc_resource_owner(owner) if owner
             when 'consent'
-              render :new if owner
+              if owner
+                clear_oidc_response
+                render :new
+              end
             when 'select_account'
               select_account_for_oidc_resource_owner(owner)
             when 'create'
@@ -118,7 +121,13 @@ module Doorkeeper
           return_to.to_s
         end
+        def clear_oidc_response
+          self.response_body = nil
+          @_response_body = nil
+        end
         def reauthenticate_oidc_resource_owner(owner)
+          clear_oidc_response
           return_to = return_without_oidc_prompt_param('login')
           instance_exec(
@@ -135,6 +144,7 @@ module Doorkeeper
         end
         def select_account_for_oidc_resource_owner(owner)
+          clear_oidc_response
           return_to = return_without_oidc_prompt_param('select_account')
           instance_exec(

data/lib/doorkeeper/openid_connect/id_token.rb CHANGED Viewed

@@ -57,8 +57,16 @@ module Doorkeeper
         @access_token.application.try(:uid)
       end
+      def expires_in
+        if @expires_in.respond_to?(:call)
+          @expires_in.call(@resource_owner, @access_token.application)
+        else
+          @expires_in
+        end
+      end
       def expiration
-        (@issued_at.utc + @expires_in).to_i
+        (@issued_at.utc + expires_in).to_i
       end
       def issued_at

data/lib/doorkeeper/openid_connect/oauth/authorization/code.rb CHANGED Viewed

@@ -25,7 +25,7 @@ module Doorkeeper
           private
           def create_openid_request(access_grant)
-            ::Doorkeeper::OpenidConnect::Request.create!(
+            ::Doorkeeper::OpenidConnect.configuration.open_id_request_model.create!(
               access_grant: access_grant,
               nonce: pre_auth.nonce
             )

data/lib/doorkeeper/openid_connect/orm/active_record/access_grant.rb CHANGED Viewed

@@ -6,7 +6,7 @@ module Doorkeeper
       def self.prepended(base)
         base.class_eval do
           has_one :openid_request,
-            class_name: 'Doorkeeper::OpenidConnect::Request',
+            class_name: Doorkeeper::OpenidConnect.configuration.open_id_request_class,
             foreign_key: 'access_grant_id',
             inverse_of: :access_grant,
             dependent: :delete

data/lib/doorkeeper/openid_connect/orm/active_record/mixins/openid_request.rb ADDED Viewed

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+module Doorkeeper
+  module OpenidConnect
+    module Orm
+      module ActiveRecord
+        module Mixins
+          module OpenidRequest
+            extend ::ActiveSupport::Concern
+            included do
+              self.table_name = "#{table_name_prefix}oauth_openid_requests#{table_name_suffix}".to_sym
+              validates :access_grant_id, :nonce, presence: true
+              if Gem.loaded_specs['doorkeeper'].version >= Gem::Version.create('5.5.0')
+                belongs_to :access_grant,
+                           class_name: Doorkeeper.config.access_grant_class.to_s,
+                           inverse_of: :openid_request
+              else
+                belongs_to :access_grant,
+                           class_name: 'Doorkeeper::AccessGrant',
+                           inverse_of: :openid_request
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/openid_connect/orm/active_record/request.rb CHANGED Viewed

@@ -1,21 +1,11 @@
 # frozen_string_literal: true
+require 'doorkeeper/openid_connect/orm/active_record/mixins/openid_request'
 module Doorkeeper
   module OpenidConnect
     class Request < ::ActiveRecord::Base
-      self.table_name = "#{table_name_prefix}oauth_openid_requests#{table_name_suffix}".to_sym
-      validates :access_grant_id, :nonce, presence: true
-      if Gem.loaded_specs['doorkeeper'].version >= Gem::Version.create('5.5.0')
-        belongs_to :access_grant,
-                   class_name: Doorkeeper.config.access_grant_class.to_s,
-                   inverse_of: :openid_request
-      else
-        belongs_to :access_grant,
-                   class_name: 'Doorkeeper::AccessGrant',
-                   inverse_of: :openid_request
-      end
+      include Orm::ActiveRecord::Mixins::OpenidRequest
     end
   end
 end

data/lib/doorkeeper/openid_connect/orm/active_record.rb CHANGED Viewed

@@ -9,6 +9,10 @@ module Doorkeeper
     module Orm
       module ActiveRecord
+        module Mixins
+          autoload :OpenidRequest, "doorkeeper/openid_connect/orm/active_record/mixins/openid_request"
+        end
         def run_hooks
           super
@@ -19,7 +23,7 @@ module Doorkeeper
           end
           if Doorkeeper.configuration.respond_to?(:active_record_options) && Doorkeeper.configuration.active_record_options[:establish_connection]
-            [Doorkeeper::OpenidConnect::Request].each do |c|
+            [Doorkeeper::OpenidConnect.configuration.open_id_request_model].each do |c|
               c.send :establish_connection, Doorkeeper.configuration.active_record_options[:establish_connection]
             end
           end
@@ -38,7 +42,7 @@ module Doorkeeper
             end
             if Doorkeeper.configuration.active_record_options[:establish_connection]
-              [Doorkeeper::OpenidConnect::Request].each do |c|
+              [Doorkeeper::OpenidConnect.configuration.open_id_request_model].each do |c|
                 c.send :establish_connection, Doorkeeper.configuration.active_record_options[:establish_connection]
               end
             end

data/lib/doorkeeper/openid_connect/rails/routes/mapping.rb CHANGED Viewed

@@ -10,12 +10,14 @@ module Doorkeeper
           def initialize
             @controllers = {
               userinfo: 'doorkeeper/openid_connect/userinfo',
-              discovery: 'doorkeeper/openid_connect/discovery'
+              discovery: 'doorkeeper/openid_connect/discovery',
+              dynamic_client_registration: 'doorkeeper/openid_connect/dynamic_client_registration'
             }
             @as = {
               userinfo: :userinfo,
-              discovery: :discovery
+              discovery: :discovery,
+              dynamic_client_registration: :dynamic_client_registration
             }
             @skips = []

data/lib/doorkeeper/openid_connect/rails/routes.rb CHANGED Viewed

@@ -26,9 +26,15 @@ module Doorkeeper
         def generate_routes!(options)
           @mapping = Mapper.new.map(&@block)
+          openid_connect = ::Doorkeeper::OpenidConnect.configuration
           routes.scope options[:scope] || 'oauth', as: 'oauth' do
             map_route(:userinfo, :userinfo_routes)
             map_route(:discovery, :discovery_routes)
+            if openid_connect.dynamic_client_registration
+              map_route(:dynamic_client_registration, :dynamic_client_registration_routes)
+            end
           end
           routes.scope as: 'oauth' do
@@ -66,6 +72,10 @@ module Doorkeeper
             routes.get :webfinger
           end
         end
+        def dynamic_client_registration_routes
+          routes.post :register, path: 'registration', as: ''
+        end
       end
     end
   end

data/lib/doorkeeper/openid_connect/version.rb CHANGED Viewed

@@ -2,6 +2,12 @@
 module Doorkeeper
   module OpenidConnect
-    VERSION = '1.8.11'
+    MAJOR = 1
+    MINOR = 9
+    TINY = 0
+    PRE = nil
+    # Full version number
+    VERSION = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end
 end

data/lib/doorkeeper/openid_connect.rb CHANGED Viewed

@@ -38,15 +38,26 @@ require 'doorkeeper/openid_connect/rails/routes'
 module Doorkeeper
   module OpenidConnect
     def self.signing_algorithm
-      configuration.signing_algorithm.to_s.upcase.to_sym
+      algo = if configuration.signing_algorithm.respond_to?(:call)
+        configuration.signing_algorithm.call
+      else
+        configuration.signing_algorithm
+      end
+      algo.to_s.upcase.to_sym
     end
     def self.signing_key
+      key_value = if configuration.signing_key.respond_to?(:call)
+        configuration.signing_key.call
+      else
+        configuration.signing_key
+      end
       key =
         if %i[HS256 HS384 HS512].include?(signing_algorithm)
-          configuration.signing_key
+          key_value
         else
-          OpenSSL::PKey.read(configuration.signing_key)
+          OpenSSL::PKey.read(key_value)
         end
       ::JWT::JWK.new(key, { kid_generator: ::JWT::JWK::Thumbprint })
     end

data/lib/generators/doorkeeper/openid_connect/templates/initializer.rb CHANGED Viewed

@@ -30,12 +30,6 @@ Doorkeeper::OpenidConnect.configure do
     # redirect_to new_user_session_url
   end
-  # Depending on your configuration, a DoubleRenderError could be raised
-  # if render/redirect_to is called at some point before this callback is executed.
-  # To avoid the DoubleRenderError, you could add these two lines at the beginning
-  #  of this callback: (Reference: https://github.com/rails/rails/issues/25106)
-  #   self.response_body = nil
-  #   @_response_body = nil
   select_account_for_resource_owner do |resource_owner, return_to|
     # Example implementation:
     # store_location_for resource_owner, return_to
@@ -59,6 +53,28 @@ Doorkeeper::OpenidConnect.configure do
   # Expiration time on or after which the ID Token MUST NOT be accepted for processing. (default 120 seconds).
   # expiration 600
+  # Enable dynamic client registration (default false)
+  # dynamic_client_registration true
+  # You can use your own model class if you need to extend (or even override) the default
+  # Doorkeeper::OpenidConnect::Request model (e.g. to use a different database connection).
+  #
+  # By default Doorkeeper OpenID Connect uses:
+  #
+  # open_id_request_class "Doorkeeper::OpenidConnect::Request"
+  #
+  # Don't forget to include the OpenID Connect ORM mixin into your custom model:
+  #
+  #   * ::Doorkeeper::OpenidConnect::Orm::ActiveRecord::Mixins::OpenidRequest
+  #
+  # For example:
+  #
+  # open_id_request_class "MyOpenidRequest"
+  #
+  # class MyOpenidRequest < ApplicationRecord
+  #   include ::Doorkeeper::OpenidConnect::Orm::ActiveRecord::Mixins::OpenidRequest
+  # end
   # Example claims:
   # claims do
   #   normal_claim :_foo_ do |resource_owner|

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper-openid_connect
 version: !ruby/object:Gem::Version
-  version: 1.8.11
+  version: 1.9.0
 platform: ruby
 authors:
 - Sam Dengler
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-02-10 00:00:00.000000000 Z
+date: 2026-03-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: doorkeeper
@@ -21,7 +21,7 @@ dependencies:
         version: '5.5'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.9'
+        version: '6.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -31,7 +31,7 @@ dependencies:
         version: '5.5'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.9'
+        version: '6.0'
 - !ruby/object:Gem::Dependency
   name: ostruct
   requirement: !ruby/object:Gem::Requirement
@@ -185,7 +185,9 @@ files:
 - LICENSE.txt
 - README.md
 - app/controllers/concerns/doorkeeper/openid_connect/authorizations_extension.rb
+- app/controllers/concerns/doorkeeper/openid_connect/grant_types_supported_mixin.rb
 - app/controllers/doorkeeper/openid_connect/discovery_controller.rb
+- app/controllers/doorkeeper/openid_connect/dynamic_client_registration_controller.rb
 - app/controllers/doorkeeper/openid_connect/userinfo_controller.rb
 - config/locales/en.yml
 - lib/doorkeeper/oauth/id_token_request.rb
@@ -211,6 +213,7 @@ files:
 - lib/doorkeeper/openid_connect/oauth/token_response.rb
 - lib/doorkeeper/openid_connect/orm/active_record.rb
 - lib/doorkeeper/openid_connect/orm/active_record/access_grant.rb
+- lib/doorkeeper/openid_connect/orm/active_record/mixins/openid_request.rb
 - lib/doorkeeper/openid_connect/orm/active_record/request.rb
 - lib/doorkeeper/openid_connect/rails/routes.rb
 - lib/doorkeeper/openid_connect/rails/routes/mapper.rb